For years, WPackagist was the go-to Composer repository for WordPress plugins and themes. In March 2026, WPackagist was acquired by WP Engine, a private-equity backed company. Tooling this central to the WordPress Composer workflow shouldn't be owned by a single corporation — it should be independent and community-funded.
How they compare
| WP Packages | WPackagist | |
|---|---|---|
| Ownership | Independent, maintained by Roots | WP Engine (private equity) |
| Open source | Fully open source — application, infrastructure, deployment, and operational tooling all live in the public repo. Every commit is what runs in production. Contributions welcome | Application source and Docker build are public, but production infrastructure (cloud provisioning, environment configuration, CI/CD) is not — the running service can't be reproduced from the public repo. The repo has also historically diverged from what's actually deployed |
| Funding | Community-funded via GitHub Sponsors | Corporate-funded |
| Package naming | wp-plugin/* wp-theme/* |
wpackagist-plugin/* wpackagist-theme/* |
| Package metadata | Includes plugin/theme authors, description, homepage, and support links in Composer metadata | Missing — requested since 2020 |
| Update frequency | Every 5 minutes | ~1.5 hours (estimated — infrastructure is not open source) |
| Governance | Open roadmap, community collaboration | Corporate decision-making |
| Untagged plugin installs | Pinned to SVN revision — composer.lock is reproducible |
Mutable trunk zip with cache-busting timestamp — composer.lock is not reproducible — this can cause unexpected plugin updates |
| Closed plugins & themes | Removed in lockstep with WordPress.org — matches wp.org's own behavior, where closed plugins are no longer downloadable. Closures are tracked on the status page and exposed via the closures API | Continues serving closed plugins indefinitely with no notice — users can unknowingly install plugins closed years ago for security or abandonment |
| Install statistics | Per-package install stats — transparency for the community and package authors to see how many times their packages are installed via Composer | No install statistics |
| Public status page | Real-time status page with build history, package changes, and closure tracking | No status page |
Closed plugins
When the WordPress.org plugin directory closes a plugin — typically for security vulnerabilities, author abandonment, or guideline violations — the plugin is no longer downloadable from wp.org. WP Packages mirrors this behavior: closed plugins are removed from the repository, so Composer cannot install or upgrade to a closed version.
WPackagist continues serving closed plugins with no notice to users. We've heard from developers who migrated to WP Packages and discovered they had been depending on plugins that wp.org closed years earlier — including some closed for security reasons. If your composer.lock references a plugin wp.org has since closed, WP Packages surfaces it; WPackagist silently keeps installing it.
All currently closed plugins are listed on the status page and available via the closures API.
Performance
WP Packages supports Composer v2's metadata-url protocol, which lets Composer fetch metadata for only the packages it needs. WPackagist still uses the older provider-includes approach, which forces Composer to download large index files containing metadata for thousands of packages before it can resolve your dependencies.
Composer resolve times
Cold resolve (no cache) — lower is better.
| Plugins | WP Packages | WPackagist | Speedup |
|---|---|---|---|
| 10 plugins | 0.7s | 12.3s | 17x faster |
| 20 plugins | 1.1s | 19.0s | 17x faster |
Metadata & caching
| WP Packages | WPackagist | |
|---|---|---|
| Composer v2 metadata-url | Yes | No |
Metadata changes feed (metadata-changes-url) |
Yes | No |
| CDN caching | public, max-age=300 |
no-cache, private |
| Per-package files | Immutable, content-addressed, cached indefinitely | Not content-addressed |
Benchmarks run from a single location using Composer 2.7+. Results may vary by region and network conditions. Benchmark scripts are open source.
The case for independence
WPackagist was originally built and maintained by Outlandish, who operated the service for over a decade. In its later years, the project suffered from neglect — slow updates, limited maintenance, and no meaningful community input into its direction.
Its acquisition by WP Engine raises important questions. When infrastructure this foundational to the WordPress developer workflow is controlled by a single corporation, the community loses its voice. Decisions about availability, pricing, and direction are made in boardrooms, not in the open.
WPackagist publishes its application code, a Dockerfile, and a handful of deployment helpers — but not the production infrastructure that runs the service. Cloud provisioning, environment configuration, CI/CD — all proprietary. The public repo is enough to build the container, not enough to reproduce the running service.
The public repo has also diverged from production at times: gaps the community has had to catch and report (e.g. #556, #557) before they were addressed. With infrastructure closed, there's no built-in way for outside observers to know when the public source no longer reflects what's actually running. WP Packages takes the opposite approach: every component that runs the service — the Go application, the Ansible playbooks, the Caddy configuration, the database tooling — lives in the public repo. The codebase is what runs in production, and anyone can clone it and spin up their own instance.
Built by Roots, maintained since 2011
WP Packages is built by Roots, the team behind Bedrock, Sage, Trellis, and Acorn. Since 2011, Roots has been continuously improving and maintaining open source WordPress tooling. We pioneered the use of Composer in WordPress development and have a proven track record of long-term commitment to the ecosystem.
WP Packages is fully open source and designed for community collaboration. Every line of code is public, contributions are welcome, and the project's direction is shaped by the developers who use it.
The repository includes everything needed to run your own instance: the application code, documentation on how it all works, and the full Ansible setup for deploying to production. Anyone can fork it and build their own WordPress Composer repository.
Community-funded, community-driven
Unlike corporate-backed alternatives, WP Packages is funded entirely by the community through GitHub Sponsors. Your sponsorship directly supports the infrastructure, development, and maintenance of WP Packages and the broader Roots ecosystem.
Sponsoring Roots means investing in independent, community-funded WordPress tooling that serves developers — not shareholders.
Support independent WordPress tooling
Help us keep WP Packages independent and freely available for every WordPress developer.
Sponsor Roots on GitHubMigrating from WPackagist
Switching from WPackagist takes one command. Use the migration script to automatically update your composer.json:
curl -sO https://raw.githubusercontent.com/roots/wp-packages/main/scripts/migrate-from-wpackagist.sh && bash migrate-from-wpackagist.sh
Manually migrate
Remove WPackagist packages:
composer remove wpackagist-plugin/woocommerce
Remove the WPackagist repository and add WP Packages:
composer config --unset repositories.wpackagist && composer config repositories.wp-packages composer https://repo.wp-packages.org
Require packages with the new naming:
composer require wp-plugin/woocommerce
